Auditing my own agency's website with Claude
Claude audited my agency's site and found our three money pages were hidden from Google. Fixed same day.
humbearmedia.com ↗## the problem
I run a marketing agency. Which means my own website was the cobbler's kid: 29 active plugins, two cookie consent managers, two backup tools, two snippet managers, a caching plugin built for a web server I do not even run, and a white-labeled SEO platform I was paying for that gave me dashboards but no real picture of what was actually in my HTML.
I did not want another tool score. I wanted someone to crawl every URL, read the raw markup, test the forms like a real visitor, and tell me what was broken and why, in priority order. Tools report symptoms. I needed root causes, and I needed the fixes shipped, not listed.
So I pointed Claude Code at the site with a logged-in browser session and let it run the full loop: crawl, analyze, prioritize, fix, verify. What it found in the first few hours justified the whole exercise.
## what I built
Not an app this time. A complete technical, SEO, security, and conversion audit of humbearmedia.com, run by Claude Code against the live production site, with the highest-impact fixes applied and verified in the same session. The deliverables are a findings log with more than 40 issues in issue, severity, location, root cause, fix, impact format, a final prioritized report, a per-page SEO table covering 63 URLs, and a set of reversible PHP snippets deployed through the Code Snippets plugin.
The headline find: the About, Lead Generation, and Contact pages, the three pages in my main nav that actually make money, were all serving a noindex robots tag. They could not appear in Google at all. Leftover staging settings on rebuilt pages. On top of that, Claude caught the white-labeled SEO toolkit I was paying for injecting its own hardcoded robots meta tag on every page, conflicting with Yoast. The tool that was supposed to manage my SEO was polluting my markup, and nothing in its dashboard told me.
The audit also turned into a roadmap. After the fixes, Claude synthesized everything into a full rebuild vision for the site: positioning, page architecture, a kill list of compliance-risky copy, and a phased build sequence.
## how Claude was actually used
- 01
Crawl and recon
I gave Claude Code a Chrome session logged into wp-admin plus anonymous fetch access. It swept 64 internal URLs from the sitemap and nav, capturing HTTP status, redirect chains, and live HTML for each. Zero broken pages, but six sitemap URLs were 301-redirecting into ugly duplicate slugs, which became its own finding.
- 02
Per-page SEO extraction in parallel
A parallel sub-agent fetched all 63 pages anonymously and parsed title, meta description, canonical, robots, H1 count, schema, Open Graph tags, and word counts into one table. Duplicate content across the templated city pages was measured with small Node scripts using 6-gram Jaccard similarity, which flagged near-duplicate thin pages with up to 47 percent body overlap.
- 03
Environment and plugin audit
Claude pulled the full stack picture from WordPress Site Health: WordPress 7.0, PHP 8.3, MariaDB still on latin1, 29 active plugins. It mapped the overlaps, two consent plugins, two snippet managers, two backup systems, Elementor Pro running alongside a GPL clone of itself, and LiteSpeed Cache on an nginx host where its page cache does nothing.
- 04
Runtime tracking audit
Instead of trusting plugin settings, Claude checked what actually fires in the browser and what sits in the raw HTML. It found two GA4 properties double-counting every pageview, no Meta Pixel installed at all on a site that runs paid social, and then a mismatch between the pixel ID configured in the pixel plugin and the dataset in Events Manager. It corrected the ID and verified the right pixel appeared in the homepage HTML.
- 05
Catching the white-labeled SEO tool
While verifying the noindex fixes, Claude noticed every page had two robots meta tags. The second came from my white-labeled SEO toolkit, which is Search Atlas OTTO under the hood, hardcoded to output index on every page regardless of the page's real setting. I made the call to keep Yoast as the single SEO authority, Claude deactivated the toolkit, then re-verified that every page serves exactly one robots tag.
- 06
Form testing as a real visitor
Claude submitted a clearly labeled test lead through the HighLevel form embed. The submission worked, but the consent checkbox literally read Insert Business Name and the marketing opt-in said YOUR COMAPNY NAME, typo included, at the exact moment a prospect decides to trust you. I chose to drop the embed. Claude built a native Elementor form in its place and verified a test submission landed in my inbox end to end.
- 07
Fixes as reversible snippets
Every production change went through the Code Snippets plugin after a database backup, so each one can be deactivated in one click. That covered the security hardening, blocking REST user enumeration, disabling XML-RPC pingback and multicall while keeping Jetpack alive, adding security headers, plus later snippets for redirect consolidation of duplicate pages, forcing internal links to dofollow, and filling missing image alt text.
- 08
Report, prioritize, plan the rebuild
Claude wrote the findings into a severity-ranked log and a final report split into fixed-and-verified versus a prioritized backlog. A week later it synthesized the audit, plus market research passes, into a rebuild vision document: new page architecture, claims-safe copy rules, and a kill list of risky marketing language already on the site.
## stack
## results (the verifiable kind)
- ✓64 internal URLs crawled with zero broken pages; more than 40 issues documented across 7 areas in the findings log, plus a per-page SEO table covering 63 URLs.
- ✓Three core nav pages, About, Lead Generation, and Contact, were live with noindex robots tags. All three were switched to indexable and verified live the same day.
- ✓The white-labeled SEO plugin was caught injecting a second, conflicting robots meta tag on every page. After deactivating it, every page serves exactly one robots tag, verified post-change.
- ✓Security hardening shipped and verified from the outside: the REST users endpoint that leaked login slugs now returns 404, XML-RPC pingback and multicall are disabled with Jetpack intact, and four security headers were added.
- ✓The contact form showing literal template placeholder text in its consent language was replaced with a native form, and a test submission was verified delivered to the inbox end to end.
- ✓All changes shipped as reversible snippets after a database backup. Follow-up fix sessions ran through June 6, 2026 per file timestamps, and a rebuild plan proposing a new eight-page site architecture was drafted June 11.
## what I learned
- →The worst SEO problems were self-inflicted and invisible in dashboards. Noindex tags left over from a page rebuild and two plugins fighting over who outputs meta tags. No keyword research required, just actually reading the HTML the site serves.
- →Pick one SEO authority. Yoast and the white-labeled toolkit both writing robots tags meant the markup was invalid everywhere and any noindex I set could be contradicted. One source of truth, verified in the raw HTML, beats two platforms with prettier reports.
- →What did not work: PageSpeed and Lighthouse were rate-limited without an API key, so the audit shipped with no Core Web Vitals scores. The browser automation also could not force a mobile viewport, so mobile rendering was checked structurally rather than visually. And file-level backups errored on the managed host, so the pre-change safety net was a database backup plus platform snapshots.
- →Verify every fix from outside the cache. Batcache kept serving stale HTML, so anonymous checks said fixes were not live when they were. Logged-in cache-bypassing fetches were the only reliable verification, and the security headers still only apply on cache misses until they are set at the platform edge.
- →Test conversion paths as a human would. A crawler would never have caught that the consent checkbox said Insert Business Name. Submitting a labeled test lead surfaced the single most embarrassing finding of the whole audit.
$ follow --the-build
Watch it happen, don't take my word for it
Every build on this site gets documented as it happens — the prompts, the dead ends, the results. No course at the end of this funnel. There is no funnel.
follow on x →